Do you patch servers that do not access the internet ?

Hello all,

For years I have been a robot and patching all systems - desktops and
servers as MS releases them. I do test them first, then install via WSUS.

I have been thinking more ---- I have quite a few servers that do not access
the internet --- there are patches for the OS - Server 2000/2003, IE6/7, yet
I'm questioning myself ---- why patch the server OS and IE on those servers
if they don't access the internet. I would say definately all of my LAN
desktops, and just the servers that access the internet --- Exchange, FTP,
web server, the other servers, don't patch. All systems on the LAN do have
antivirus/spyware installed, my Exchange server also have Mail security for
SMTP installed.

So ---- what are your feelings/what do you practice ---- just patch servers
that access the internet ?

Thanks,
Bob

Hello Bob,

Definitely YES. All Virus etc. can also come with USB stick, disks etc.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hello all,
>
> For years I have been a robot and patching all systems - desktops and
> servers as MS releases them. I do test them first, then install via
> WSUS.
>
> I have been thinking more ---- I have quite a few servers that do not
> access the internet --- there are patches for the OS - Server
> 2000/2003, IE6/7, yet I'm questioning myself ---- why patch the server
> OS and IE on those servers if they don't access the internet. I would
> say definately all of my LAN desktops, and just the servers that
> access the internet --- Exchange, FTP, web server, the other servers,
> don't patch. All systems on the LAN do have antivirus/spyware
> installed, my Exchange server also have Mail security for SMTP
> installed.
>
> So ---- what are your feelings/what do you practice ---- just patch
> servers that access the internet ?
>
> Thanks,
> Bob

"moncho" <> wrote in message
news:j0wtl.14505$...
> Bob wrote:
>> Hello all,
>>
>> For years I have been a robot and patching all systems - desktops and
>> servers as MS releases them. I do test them first, then install via WSUS.
>>
>> I have been thinking more ---- I have quite a few servers that do not
>> access the internet --- there are patches for the OS - Server 2000/2003,
>> IE6/7, yet I'm questioning myself ---- why patch the server OS and IE on
>> those servers if they don't access the internet. I would say definately
>> all of my LAN desktops, and just the servers that access the internet ---
>> Exchange, FTP, web server, the other servers, don't patch. All systems on
>> the LAN do have antivirus/spyware installed, my Exchange server also have
>> Mail security for SMTP installed.
>>
>> So ---- what are your feelings/what do you practice ---- just patch
>> servers that access the internet ?
>>
>> Thanks,
>> Bob
>>
> What happens if a Trojan/Worm/Virus infects a workstation
> that accesses an un-patched non-Internet accessing server?
>
> Seems that server would be vulnerable too.
>
> If you locked down each server to the bare minimum of
> services for the server task, then you could possibly install
> less patches.

And what happens if some of the individuals that might like to try to take
advantage of the vulnerabilities being patched happen to work for your
company?

/Al

In message <eq6ul.14616$> moncho
<> was claimed to have wrote:

>Al Dunbar wrote:
>> "moncho" <> wrote in message
>> news:j0wtl.14505$...
>>> Bob wrote:
>>>> Hello all,
>>>>
>>>> For years I have been a robot and patching all systems - desktops and
>>>> servers as MS releases them. I do test them first, then install via WSUS.
>>>>
>>>> I have been thinking more ---- I have quite a few servers that do not
>>>> access the internet --- there are patches for the OS - Server 2000/2003,
>>>> IE6/7, yet I'm questioning myself ---- why patch the server OS and IE on
>>>> those servers if they don't access the internet. I would say definately
>>>> all of my LAN desktops, and just the servers that access the internet ---
>>>> Exchange, FTP, web server, the other servers, don't patch. All systems on
>>>> the LAN do have antivirus/spyware installed, my Exchange server also have
>>>> Mail security for SMTP installed.
>>>>
>>>> So ---- what are your feelings/what do you practice ---- just patch
>>>> servers that access the internet ?
>>>>
>>>> Thanks,
>>>> Bob
>>>>
>>> What happens if a Trojan/Worm/Virus infects a workstation
>>> that accesses an un-patched non-Internet accessing server?
>>>
>>> Seems that server would be vulnerable too.
>>>
>>> If you locked down each server to the bare minimum of
>>> services for the server task, then you could possibly install
>>> less patches.
>>
>> And what happens if some of the individuals that might like to try to take
>> advantage of the vulnerabilities being patched happen to work for your
>> company?
>>
>> /Al
>
>I'm with ya on that one. All good reasons to keep everything up-to-date
>as much as possible.
>
>If you know your employees are the ones trying to take advantage of the
>vulnerabilities and it is not their job to do so, then fire and
>prosecute.

The key words being "if you know" -- Until you know, those well
documented but unpatched vulnerabilities are like candy.